34 research outputs found

    La seguridad en redes SDN y sus aplicaciones

    Introduction: This review article is the product of the research project Security in SDN Networks and Their Applications, carried out at the District University (Universidad Distrital) in 2020, and presents the latest advances that have been made in security. Problem: SDN networks have had security weaknesses because they are a new architecture, and this has prevented them from replacing traditional networks. Objective: To review the state of the art of SDN networks, focusing the research on the security of the control layer and its advances. Methodology: The descriptive method is applied, consulting databases such as Scopus, IEEE and ScienceDirect with the following search criteria: SDN networks, security in SDN networks, applications with SDN networks and OpenFlow protocol. The research sample covers the Asian, European and American continents, with research years from 2014 to 2020. Results: Great advances have been made in the security of SDN networks, which points to an early solution to the weaknesses they currently face. Conclusion: SDN networks will solve all the challenges they face and will be consolidated as a solid and reliable architecture. Originality: An important focus is placed on the security of SDN networks, and the great development that has occurred in this respect is evident. Limitations: SDN networks are a new architecture, so their development has been very limited and advances in security have been significantly affected.

    Programmable Edge-to-Cloud Virtualization for 5G Media Industry: The 5G-MEDIA Approach

    To ensure high Quality of Experience (QoE) for end users, many media applications require significant quantities of computing and network resources, making their realization challenging in resource-constrained environments. In this paper, we present the approach of the 5G-MEDIA project, which provides an integrated programmable service platform for the development, design and operation of media applications in 5G networks, facilitating media service management across the service life cycle. The platform offers service developers tools for efficient development, testing and continuous correction of services. One step further, it provides a service virtualization platform offering horizontal services, such as a Media Service Catalogue and accounting services, as well as optimization mechanisms to flexibly adapt service operations to dynamic conditions with efficient use of infrastructure resources. The paper outlines three use cases in which the platform was tested and validated.

    Experimental validation of compute and network resource abstraction and allocation mechanisms within an NFV infrastructure

    Proceedings of: IFIP/IEEE International Symposium on Integrated Network Management (IM), 17-21 May 2021, Bordeaux, France.
    5G-supported capabilities (e.g., slicing) make it possible to accommodate heterogeneous vertical services, each with its own requirements, over a common cloud and transport infrastructure. In this context, the EU-H2020 5Growth project defines a service and infrastructure orchestration architecture to automatically deploy network services (NSes) fulfilling vertical demands. In this architecture, the Service Orchestrator (5Gr-SO), as a service provider, maps the vertical service needs into NS requirements (e.g., CPU, RAM, bandwidth, etc.). The 5Gr-SO interacts with an underlying infrastructure orchestrator referred to as 5Gr-RL. The 5Gr-RL, as an infrastructure provider, handles two main functions: i) abstraction of the resources exposed to the 5Gr-SO, and ii) fine-grained resource selection. Different forms of interaction between the 5Gr-SO and the 5Gr-RL arise, differing in the abstracted information exchanged and in the resource allocation. We present two 5Gr-SO and 5Gr-RL interaction solutions stemming from two 5Gr-RL operational modes: Infrastructure Abstraction (InA) and Connectivity Service Abstraction (CSA). In the InA approach, the 5Gr-SO is granted an aggregated view of the computing resources and a set of transport logical links between the cloud locations. In the CSA strategy, besides the aggregated view of the cloud resources, the logical links are associated with potential connectivity service types. Both the InA and CSA strategies are presented with their pros and cons. Moreover, the designed workflows (involving the devised abstraction and allocation algorithms) between the 5Gr-SO and 5Gr-RL entities are experimentally validated. Scalability studies are conducted on two different cloud and transport infrastructure sizes in terms of the abstraction composition time, the expansion computation time, and the total NS deployment time.
    Work supported in part by the EU Commission H2020 5Growth project (Grant No. 856709), the Spanish MICINN AURORAS (RTI2018-099178-B-I00) and Spanish MINECO 5G-REFINE (TEC2017-88373-R) projects, and Generalitat de Catalunya grant 2017 SGR 1195.

    An Experimental SDN Proposal over Legacy GPONs to Allow Real-Time Service and Residential Network Reconfiguration

    In this paper we propose an experimental SDN (Software Defined Networking) solution over legacy GPON (Gigabit Passive Optical Network) equipment that allows control of the network configuration and its services. On the one hand, the proposal makes it possible to move certain global bandwidth and service configuration policies outside the GPON so that they can be managed centrally by an SDN controller. In legacy PONs the real-time bandwidth allocation process is carried out inside the network infrastructure, cycle by cycle, between the OLT (Optical Line Terminal) and the ONTs (Optical Network Terminals), so network performance could be adversely affected by the latency between the SDN controller and the PON. In contrast, controlling some global DBA strategies by SDN techniques could lead to better network and management configuration, and therefore our proposal is able to dynamically adjust these policies according to the real-time Quality of Service (QoS) requirements of residential users. On the other hand, the designed SDN proposal lets network subscribers control the performance of their residential networks. In this way, they can set constraints and dynamically customize the bandwidth of their connected devices in a very transparent and efficient way.
    Junta de Castilla y León (Project VA085G19); Ministerio de Economía, Industria y Competitividad (Project TEC2017-84423-C3-1-P); INTERREG V-A España-Portugal (POCTEP) program (0677_DISRUPTIVE_2_E

    End-to-end network service orchestration in heterogeneous domains for next-generation mobile networks

    5G marks the beginning of a deep revolution in the mobile network ecosystem, transitioning to a network of services to satisfy the demands of new players, the vertical industries. This revolution implies a redesign of the overall mobile network architecture, where complexity, heterogeneity, dynamicity, and flexibility will be the rule. In such a context, automation and programmability are essential to support this vision and overcome current rigid network operation processes. Software Defined Networking (SDN), Network Function Virtualization (NFV) and network slicing are key enabling techniques to provide such capabilities. They are complementary, but they are still in their infancy, and the synergies between them must be exploited to realise the mentioned vision. The aim of this thesis is to further contribute to their development and integration in next-generation mobile networks by designing an end-to-end (E2E) network service orchestration (NSO) architecture which, aligned with guidelines and specifications provided by the main standardization bodies, goes beyond current management and orchestration (MANO) platforms to fulfil network service lifetime requirements in heterogeneous multi-technology/administrative network infrastructures shared by concurrent instances of diverse network services. Following a bottom-up approach, we start by studying some SDN aspects related to the management of wireless network elements and their integration into hierarchical control architectures orchestrating networking resources in a multi-technology (wireless, optical, packet) infrastructure. Then, this work is integrated in an infrastructure manager module executing the joint resource abstraction and allocation of network and compute resources in distributed points of presence (PoPs) connected by a transport network, an aspect which is not (or only lightly) handled by current MANO platforms. This is the module where the integration between NFV and SDN techniques is executed.
    This integration is commanded by a Service Orchestrator module, in charge of automating the E2E lifecycle management of network services implementing network slices (NS) based on the vertical requirements and the available infrastructure resources, while also fulfilling service level agreements (SLAs) during run-time operation. This architecture, focused on single administrative domain (AD) scenarios, constitutes the first group of contributions of this thesis. The second group of contributions evolves this initial architecture to deal with the orchestration and sharing of NS and their network slice subnet instances (NSSIs) involving multiple ADs. The main differential aspect with respect to current state-of-the-art solutions is the consideration of resource orchestration aspects during the whole orchestration process. This is fundamental to achieve the interconnection of NSSIs, hence making E2E multi-domain orchestration and network slicing a reality in practice. Additionally, this work also considers SLA management aspects by means of scaling actions during run-time operation in such complex scenarios. The third group of contributions demonstrates the validity and applicability of the resulting architectures, workflows, and interfaces by implementing and evaluating them in real experimental infrastructures featuring multiple ADs and transport technologies interconnecting distributed computing PoPs. The experiments consider network service definitions close to real vertical use cases, namely automotive and eHealth, which help bridge the gap between network providers and vertical industry stakeholders. Experimental results show that network service creation and scaling times in the order of minutes can be achieved for single and multi-AD scenarios, in line with 5G network targets. Moreover, these measurements serve as a reference for benchmarking the different operations involved during network service deployment. Such analyses are limited in the current literature.
    Postprint (published version)

    Security at the Edge for Resource-Limited IoT Devices

    The Internet of Things (IoT) is rapidly growing, with an estimated 14.4 billion active endpoints in 2022 and a forecast of approximately 30 billion connected devices by 2027. This proliferation of IoT devices has come with significant security challenges, including intrinsic security vulnerabilities, limited computing power, and the absence of timely security updates. Attacks leveraging such shortcomings could lead to severe consequences, including data breaches and potential disruptions to critical infrastructures. In response to these challenges, this research paper presents the IoT Proxy, a modular component designed to create a more resilient and secure IoT environment, especially in resource-limited scenarios. The core idea behind the IoT Proxy is to externalize the security-related aspects of IoT devices by channeling their traffic through a secure network gateway equipped with different Virtual Network Security Functions (VNSFs). Our solution includes a Virtual Private Network (VPN) terminator and an Intrusion Prevention System (IPS) that uses a machine learning-based technique called oblivious authentication to identify connected devices. The IoT Proxy's modular, scalable, and externalized security approach creates a more resilient and secure IoT environment, especially for resource-limited IoT devices. The promising experimental results from laboratory testing demonstrate the suitability of the IoT Proxy for securing real-world IoT ecosystems.

    A Link-Layer Virtual Networking Solution for Cloud-Native Network Function Virtualisation Ecosystems: L2S-M

    Microservices have become promising candidates for the deployment of network and vertical functions in the fifth generation of mobile networks. However, microservice platforms like Kubernetes use a flat networking approach to the connectivity of virtualised workloads, which prevents the deployment of network functions on isolated network segments (for example, the components of an IP telephony system or a content distribution network). This paper presents L2S-M, a solution that enables the connectivity of Kubernetes microservices over isolated link-layer virtual networks, regardless of the compute nodes where the workloads are actually deployed. L2S-M uses software-defined networking (SDN) to fulfil this purpose. Furthermore, the L2S-M design is flexible enough to support the connectivity of Kubernetes workloads across different Kubernetes clusters. We validate the functional behaviour of our solution in a moderately complex Smart Campus scenario, where L2S-M is used to deploy a content distribution network, showing its potential for the deployment of network services in distributed and heterogeneous environments.
    This article has been partially supported by the H2020 FISHY Project (Grant agreement ID: 952644) and by the TRUE5G project (PID2019-108713RB681) funded by the Spanish National Research Agency (MCIN/AEI/10.13039/5011000110).

    Enabling Scalable and Sustainable Softwarized 5G Environments

    The fifth generation of telecommunication systems (5G) is foreseen to play a fundamental role in our socio-economic growth by supporting various and radically new vertical applications (such as Industry 4.0, eHealth and Smart Cities/Electrical Grids, to name a few), as a one-fits-all technology enabled by emerging softwarization solutions: specifically, the Fog, Multi-access Edge Computing (MEC), Network Functions Virtualization (NFV) and Software-Defined Networking (SDN) paradigms. Notwithstanding the notable potential of the aforementioned technologies, a number of open issues still need to be addressed to ensure their complete rollout. This thesis is particularly developed towards addressing the scalability and sustainability issues in softwarized 5G environments through contributions in three research axes: a) Infrastructure Modeling and Analytics, b) Network Slicing and Mobility Management, and c) Network/Services Management and Control. The main contributions include a model-based analytics approach for real-time workload profiling and estimation of network key performance indicators (KPIs) in NFV infrastructures (NFVIs), as well as an SDN-based multi-clustering approach to scale geo-distributed virtual tenant networks (VTNs) and to support seamless user/service mobility; building on these, solutions to the problems of resource consolidation, service migration, and load balancing are also developed in the context of 5G. All in all, this generally entails the adoption of Stochastic Models, Mathematical Programming, Queueing Theory, Graph Theory and Team Theory principles, in the context of Green Networking, NFV and SDN.

    Static analysis for discovering IoT vulnerabilities

    The Open Web Application Security Project (OWASP) released the "OWASP Top 10 Internet of Things 2018" list of high-priority security vulnerabilities for IoT systems. The diversity of these vulnerabilities poses a great challenge to the development of a robust solution for their detection and mitigation. In this paper, we discuss the relationship between these vulnerabilities and the ones listed in the OWASP Top 10 (focused on Web applications rather than IoT systems), how these vulnerabilities can actually be exploited, and in which cases static analysis can help in preventing them. Then, we present an extension of an industrial analyzer (Julia) that already covers five out of the top seven vulnerabilities of the OWASP Top 10, and we discuss which IoT Top 10 vulnerabilities might be detected by the existing analyses or their extension. The experimental results present the application of some of Julia's existing analyses and their extension to IoT systems, showing the effectiveness of the analysis on some representative case studies.